Kyle Cucci
Kyle Cucci is a malware analyst and detection engineer with Proofpoint’s Threat Research team. Previously, he led the forensic investigations and malware research teams at a large global bank. Kyle is the author of the book “Evasive Malware: A Field Guide to Detecting, Analyzing, and Defeating Advanced Threats” and speaks regularly at conferences worldwide on topics such as malware analysis, offensive security, and security engineering. In his free time, Kyle enjoys contributing to the community through open source tooling, research, and blogging.
Session
Information stealers have become a core component of modern cybercrime, driven by their availability, ease of use, rapid evolution, and direct path to monetization. This talk examines Stealerium and PhantomStealer, two closely related infostealer families that demonstrate how open-source tools, including those marketed (sometimes falsely) as “ethical hacking” tools, are routinely repurposed for real-world attacks.
The session begins with background on Stealerium’s origins, overlap with other families, and distribution models, including how multiple threat actors leverage and modify the malware. We will explore the technical relationship between Stealerium and PhantomStealer, highlighting areas of code reuse and key differences in functionality. From there, we’ll dive into technical analysis of the malware, covering what data these stealers target, ranging from browser credentials and Wi-Fi information to cryptocurrency wallets, clipboard data, and content flagged as “Not Safe for Work,” which may be used to support sextortion activity.
The presentation also breaks down Stealerium’s unique exfiltration methods, including the use of uncommon services such as GoFile and ZulipChat, along with its anti-analysis and anti-sandbox techniques. Finally, we’ll examine notable campaigns, attack chains, and practical methods for tracking, detecting, and mitigating Stealerium using configuration extraction and behavioral indicators.